Wall, Stephen
2019-May-15 12:18 UTC
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds
> New CPU microcode may be available in a BIOS update from your system vendor,
> or by installing the devcpu-data package or sysutils/devcpu-data port.
> Ensure that the BIOS update or devcpu-data package is dated after 2014-05-14.
>
> If using the package or port the microcode update can be applied at boot time
> by adding the following lines to the system's /boot/loader.conf:
>
> cpu_microcode_load="YES"
> cpu_microcode_name="/boot/firmware/intel-ucode.bin"

Is this applicable in a virtualized environment, or only on bare metal?
If not applicable in a VM, is it at least harmless?

Thanks
- Steve Wall

mike tancsa
2019-May-15 13:32 UTC
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds
On 5/15/2019 8:18 AM, Wall, Stephen wrote:
>> New CPU microcode may be available in a BIOS update from your system vendor,
>> or by installing the devcpu-data package or sysutils/devcpu-data port.
>> Ensure that the BIOS update or devcpu-data package is dated after 2014-05-14.
>>
>> If using the package or port the microcode update can be applied at boot time
>> by adding the following lines to the system's /boot/loader.conf:
>>
>> cpu_microcode_load="YES"
>> cpu_microcode_name="/boot/firmware/intel-ucode.bin"
> Is this applicable in a virtualized environment, or only on bare metal?
> If not applicable in a VM, is it at least harmless?

Actually, just tried this on RELENG_11 (r347613) and I get

don't know how to load module '/boot/firmware/intel-ucode.bin'

In boot/loader.conf I have

cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"

# ls -l /boot/firmware/intel-ucode.bin
-rw-r--r--  1 root  wheel  uarch 2571264 May 15 08:47 /boot/firmware/intel-ucode.bin
# sha256 /boot/firmware/intel-ucode.bin
SHA256 (/boot/firmware/intel-ucode.bin) 1fdb3a25467d285394eded8039ee8ab488f074903654981d35a4cdfe6ebf12fc

Jan Bramkamp
2019-May-15 14:29 UTC
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds
On 15.05.19 14:18, Wall, Stephen wrote:
>> New CPU microcode may be available in a BIOS update from your system vendor,
>> or by installing the devcpu-data package or sysutils/devcpu-data port.
>> Ensure that the BIOS update or devcpu-data package is dated after 2014-05-14.
>>
>> If using the package or port the microcode update can be applied at boot time
>> by adding the following lines to the system's /boot/loader.conf:
>>
>> cpu_microcode_load="YES"
>> cpu_microcode_name="/boot/firmware/intel-ucode.bin"
> Is this applicable in a virtualized environment, or only on bare metal?
> If not applicable in a VM, is it at least harmless?

Afaik you can't modify the microcode inside a VM, but give them time. I'm sure Intel optimized that security check away as well in some corner case yet to be discovered.